Session fixation vulnerability in Enhancesoft's osTicket

Posted date 16/06/2026
Identifier
INCIBE-2026-430
Importance
3 - Medium
Affected Resources

osTicket v1.18.2

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Enhancesoft’s osTicket, a free and open-source technical support ticketing system. The vulnerability was discovered by Mario Valiente.

This vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2026-9507: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-38
Solution

The current (legacy) source code is in maintenance mode, whilst Enhancesoft is focusing on a complete rewrite of the code (v2.0). This means that release cycles and security updates for the legacy code have been significantly delayed.

Detail

CVE-2026-9507: A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login.

The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.
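The lifecycle described above, modelled as an added example that is not osTicket code and does not describe osTicket internals beyond what this advisory states: a minimal in-memory session store whose login routine either keeps the pre-authentication identifier (the reported defect) or replaces it with a fresh one and discards the old (the standard fix, equivalent to PHP's session_regenerate_id(true)). The store, the planted identifier and the user name are constructed for the demonstration; the optional strict mode mirrors PHP's session.use_strict_mode, which refuses client-supplied identifiers the server has never issued.

```python
"""Session-fixation model for CVE-2026-9507 (constructed example, not osTicket code)."""
import secrets


class SessionStore:
    """Tiny server-side session store keyed by session id (like OSTSESSID)."""

    def __init__(self, strict=False):
        self.sessions = {}   # sid -> session data
        self.strict = strict # reject ids the server never issued

    def start(self, presented_sid=None):
        """Resolve the cookie a client presents, creating a session if needed.

        Permissive mode (strict=False) behaves like a default PHP session_start():
        an unknown client-supplied id is adopted as a new empty session, which is
        what lets an attacker plant a known id before the victim logs in.
        """
        if presented_sid is not None and presented_sid in self.sessions:
            return presented_sid
        if presented_sid is None or self.strict:
            presented_sid = secrets.token_hex(16)  # server-chosen id
        self.sessions[presented_sid] = {}
        return presented_sid

    def login(self, sid, user, regenerate):
        """Bind `user` to the session and return the id the client must use next.

        regenerate=False reproduces the defect: the pre-auth id keeps carrying the
        authenticated identity, so anyone who knows it shares the account.
        regenerate=True is the fix: migrate data to a fresh id, drop the old one.
        """
        data = self.sessions[sid]
        if regenerate:
            del self.sessions[sid]          # old id no longer resolves
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        data["user"] = user
        return sid

    def whoami(self, sid):
        """Identity bound to `sid`, or None if unauthenticated or unknown."""
        return self.sessions.get(sid, {}).get("user")


PLANTED_SID = "constructedplantedid0123456789ab"  # constructed attacker-known id


def fixation_scenario(regenerate, strict=False):
    """Victim logs in on a planted id; return (post-login id, identity seen via planted id)."""
    store = SessionStore(strict=strict)
    sid = store.start(PLANTED_SID)        # victim's browser presents the planted cookie
    post_login_sid = store.login(sid, "victim", regenerate)
    return post_login_sid, store.whoami(PLANTED_SID)


def login_rotates_cookie(regenerate):
    """Black-box check: does a successful login change the session cookie value?"""
    post_login_sid, _ = fixation_scenario(regenerate)
    return post_login_sid != PLANTED_SID


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(False))  # planted id now resolves to 'victim'
    print("fixed:     ", fixation_scenario(True))   # planted id resolves to nothing
    print("strict:    ", fixation_scenario(False, strict=True))
```

login_rotates_cookie is the observation a tester or defender can make from outside: capture the session cookie before and after a successful login and confirm the value changes and the old one no longer grants access. Either regeneration at login or strict-mode rejection of unknown ids breaks the scenario; regeneration is the one that addresses the flaw as this advisory describes it.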

CVE

CVE identifier   Severity   Exploitation   Vendor
CVE-2026-9507    Medium     Yes            osTicket